04.083GPPMobile radio interface Layer 3 specificationRelease 1998TS
As described in sub-clause 4.1.1, a MM common procedure can be initiated at any time whilst a RR connection exists between the network and the mobile station.
4.3.1 TMSI reallocation procedure
The purpose of the TMSI reallocation procedure is to provide identity confidentiality , i.e. to protect a user against being identified and located by an intruder (see 3GPP TS 02.09 and 03.20).
If the identity confidentiality service is applied for an IMSI, a Temporary Mobile Subscriber Identity (TMSI) is used for identification within the radio interface signalling procedures.
The structure of the TMSI is specified in 3GPP TS 03.03. The TMSI has significance only within a location area. Outside the location area it has to be combined with the Location Area Identifier (LAI) to provide for an unambiguous identity.
Usually the TMSI reallocation is performed at least at each change of a location area. (Such choices are left to the network operator).
The reallocation of a TMSI can be performed either by a unique procedure defined in this sub-clause or implicitly by a location updating procedure using the TMSI. The implicit reallocation of a TMSI is described together with that procedure.
If a TMSI provided by a mobile station is unknown in the network e.g. due to a data base failure, the network may require the mobile station to provide its International Mobile Subscriber Identity (IMSI). In this case the identification procedure (see sub-clause 4.3.3) should be used before the TMSI reallocation procedure may be initiated.
The TMSI reallocation can be initiated by the network at any time whilst a RR connection exists between the network and the mobile station.
NOTE 1: Usually the TMSI reallocation is performed in ciphered mode.
NOTE 2: Normally the TMSI reallocation will take place in conjunction with another procedure, e.g. at location updating or at call setup (see 3GPP TS 09.02).
18.104.22.168 TMSI reallocation initiation by the network
The network initiates the TMSI reallocation procedure by sending a TMSI REALLOCATION COMMAND message to the mobile station and starts the timer T3250.
The TMSI REALLOCATION COMMAND message contains a new combination of TMSI and LAI allocated by the network or a LAI and the IMSI if the used TMSI shall be deleted. Usually the TMSI-REALLOCATION COMMAND message is sent to the mobile station using a RR connection in ciphered mode (see 3GPP TS 03.20).
22.214.171.124 TMSI reallocation completion by the mobile station
Upon receipt of the TMSI REALLOCATION COMMAND message the mobile station stores the Location Area Identifier (LAI) in the SIM. If the received identity is the IMSI of the relevant mobile station, the mobile station deletes any TMSI. If the received identity is a TMSI the mobile station stores the TMSI in the SIM. In both cases the mobile station sends a TMSI REALLOCATION COMPLETE message to the network.
126.96.36.199 TMSI reallocation completion in the network
Upon receipt of the TMSI REALLOCATION COMPLETE message, the network stops the timer T3250 and either considers the new TMSI as valid or, if an IMSI was sent to the mobile station, considers the old TMSI as deleted.
If the RR connection is no more needed, then the network will request the RR sublayer to release it (see sub-clause 3.5).
188.8.131.52 Abnormal cases
Mobile station side:
– The mobile station shall consider the new TMSI and new LAI, if any, as valid and the old TMSI and old LAI as deleted as soon as a TMSI REALLOCATION COMMAND or another message containing a new TMSI (e.g. LOCATION UPDATING ACCEPT) is correctly received. Any RR connection failure at a later stage shall not have any impact on the TMSI and LAI storage.
(a) RR connection failure:
If the RR connection is lost before the TMSI REALLOCATION COMPLETE message is received, all MM connections (if any) shall be released and both the old and the new TMSIs should be considered as occupied for a certain recovery time.
During this period the network may:
– use the IMSI for paging in the case of network originated transactions on the CM layer. Upon response from the mobile station the TMSI reallocation is restarted;
– consider the new TMSI as valid if it is used by the mobile station in mobile originated requests for RR connection;
– use the Identification procedure followed by a new TMSI reallocation if the mobile station uses the old TMSI.
Other implementations are possible.
(b) Expiry of timer T3250:
The TMSI reallocation is supervised by the timer T3250 in the network. At the first expiry of timer T3250 the network may release the RR connection. In this case, the network shall abort the reallocation procedure release all MM connections if any, and follow the rules described for RR connection failure above.
mobile station network
TMSI REAL CMD
<—————- Start T3250
TMSI REAL COM
—————–> Stop T3250
Figure 4.1/3GPP TS 04.08: TMSI reallocation sequence
4.3.2 Authentication procedure
The purpose of the authentication procedure is twofold:
– First to permit the network to check whether the identity provided by the mobile station is acceptable or not (see 3GPP TS 03.20).
– Second to provide parameters enabling the mobile station to calculate a new ciphering key.
The cases where the authentication procedure should be used are defined in 3GPP TS 02.09.
The authentication procedure is always initiated and controlled by the network.
184.108.40.206 Authentication request by the network
The network initiates the authentication procedure by transferring an AUTHENTICATION REQUEST message across the radio interface and starts the timer T3260. The AUTHENTICATION REQUEST message contains the parameters necessary to calculate the response parameters (see 3GPP TS 03.20). It also contains the ciphering key sequence number allocated to the key which may be computed from the given parameters.
220.127.116.11 Authentication response by the mobile station
The mobile station shall be ready to respond upon an AUTHENTICATION REQUEST message at any time whilst a RR connection exists. It shall process the challenge information and send back an AUTHENTICATION RESPONSE message to the network. The new ciphering key calculated from the challenge information shall overwrite the previous one and be stored on the SIM before the AUTHENTICATION RESPONSE message is transmitted. The ciphering key stored in the SIM shall be loaded in to the ME when any valid CIPHERING MODE COMMAND is received during an RR connection (the definition of a valid CIPHERING MODE COMMAND message is given in sub-clause 18.104.22.168). The ciphering key sequence number shall be stored together with the calculated key.
22.214.171.124 Authentication processing in the network
Upon receipt of the AUTHENTICATION RESPONSE message, the network stops the timer T3260 and checks the validity of the response (see 3GPP TS 03.20).
126.96.36.199 Ciphering key sequence number
The security parameters for authentication and ciphering are tied together in sets, i.e. from a challenge parameter RAND both the authentication response SRES and the ciphering key can be computed given the secret key associated to the IMSI.
In order to allow start of ciphering on a RR connection without authentication, the ciphering key sequence numbers are introduced. The sequence number is managed by the network in the way that the AUTHENTICATION REQUEST message contains the sequence number allocated to the key which may be computed from the RAND parameter carried in that message.
The mobile station stores this number with the key, and indicates to the network in the first message (LOCATION UPDATING REQUEST, CM SERVICE REQUEST, PAGING RESPONSE, CM RE-ESTABLISHMENT REQUEST) which sequence number the stored key has. When the deletion of the sequence number is described this also means that the associated key shall be considered as invalid.
The network may choose to start ciphering with the stored key (under the restrictions given in 3GPP TS 02.09) if the stored sequence number and the one given from the mobile station are equal.
188.8.131.52 Unsuccessful authentication
If authentication fails, i.e. if the response is not valid, the network may distinguish between the two different ways of identification used by the mobile station:
– the TMSI was used;
– the IMSI was used.
If the TMSI has been used, the network may decide to initiate the identification procedure. If the IMSI given by the mobile station then differs from the one the network had associated with the TMSI, the authentication should be restarted with the correct parameters. If the IMSI provided by the MS is the expected one (i.e. authentication has really failed), the network should proceed as described below.
If the IMSI has been used, or the network decides not to try the identification procedure, an AUTHENTICATION REJECT message should be transferred to the mobile station.
After having sent this message, all MM connections in progress (if any) are released and the network should initiate the RR connection release procedure described in sub-clause 3.5.
Upon receipt of an AUTHENTICATION REJECT message, the mobile station shall set the update status in the SIM to U3 ROAMING NOT ALLOWED, delete from the SIM the stored TMSI, LAI and ciphering key sequence number. The SIM shall be considered as invalid until switching off or the SIM is removed.
If the AUTHENTICATION REJECT message is received in the state IMSI DETACH INITIATED the mobile station shall follow sub-clause 184.108.40.206.
If the AUTHENTICATION REJECT message is received in any other state the mobile station shall abort any MM specific, MM connection establishment or call re-establishment procedure, stop any of the timers T3210 or T3230 (if running), release all MM connections (if any), start timer T3240 and enter the state WAIT FOR NETWORK COMMAND, expecting the release of the RR connection. If the RR connection is not released within a given time controlled by the timer T3240, the mobile station shall abort the RR connection. In both cases, either after a RR connection release triggered from the network side or after a RR connection abort requested by the MS-side, the MS enters state MM IDLE, substate NO IMSI.
220.127.116.11 Abnormal cases
(a) RR connection failure:
Upon detection of a RR connection failure before the AUTHENTICATION RESPONSE is received, the network shall release all MM connections (if any) and abort any ongoing MM specific procedure.
(b) Expiry of timer T3260:
The authentication procedure is supervised on the network side by the timer T3260. At expiry of this timer the network may release the RR connection. In this case the network shall abort the authentication procedure and any ongoing MM specific procedure, release all MM connections if any, and initiate the RR connection release procedure described in sub-clause 3.5.
mobile station network
<—————— Start T3260
——————> Stop T3260
< – – – – – – – – –
Figure 4.2/3GPP TS 04.08: Authentication sequence: (a) authentication; (b) authentication rejection
4.3.3 Identification procedure
The identification procedure is used by the network to request a mobile station to provide specific identification parameters to the network e.g. International Mobile Subscriber Identity, International Mobile Equipment Identity (cf. 3GPP TS 03.03). For the presentation of the IMEI, the requirements of 3GPP TS 02.09 apply.
18.104.22.168 Identity request by the network
The network initiates the identification procedure by transferring an IDENTITY REQUEST message to the mobile station and starts the timer T3270. The IDENTITY REQUEST message specifies the requested identification parameters in the identity type information element.
22.214.171.124 Identification response by the mobile station
The mobile station shall be ready to respond to an IDENTITY REQUEST message at any time whilst a RR connection exists.
Upon receipt of the IDENTITY REQUEST message the mobile station sends back an IDENTITY RESPONSE message. The IDENTITY RESPONSE message contains the identification parameters as requested by the network.
Upon receipt of the IDENTITY RESPONSE the network shall stop timer T3270.
126.96.36.199 Abnormal cases
(a) RR connection failure:
Upon detection of a RR connection failure before the IDENTITY RESPONSE is received, the network shall release all MM connections (if any) and abort any ongoing MM specific procedure.
(b) Expiry of timer T3270:
The identification procedure is supervised by the network by the timer T3270. At expiry of the timer T3270 the network may release the RR connection. In this case, the network shall abort the identification procedure and any ongoing MM specific procedure, release all MM connections if any, and initiate the RR connection release procedure as described in sub-clause 3.5.
mobile station network
<———————– Start T3270
———————–> Stop T3270
Figure 4.3/3GPP TS 04.08: Identification sequence
4.3.4 IMSI detach procedure
The IMSI detach procedure may be invoked by a mobile station if the mobile station is deactivated or if the Subscriber Identity Module (see 3GPP TS 02.17) is detached from the mobile station. A flag (ATT) broadcast in the SYSTEM INFORMATION TYPE 3 message on the BCCH is used by the network to indicate whether the detach procedure is required. The value of the ATT flag to be taken into account shall be the one broadcast when the mobile station was in MM idle.
The procedure causes the mobile station to be indicated as inactive in the network.
188.8.131.52 IMSI detach initiation by the mobile station
The IMSI detach procedure consists only of the IMSI DETACH INDICATION message sent from the mobile station to the network. The mobile station then starts timer T3220 and enters the MM sublayer state IMSI DETACH INITIATED.
If no RR connection exists, the MM sublayer within the mobile station will request the RR sublayer to establish a RR connection. If establishment of the RR connection is not possible because a suitable cell is not (or not yet) available then, the mobile station shall try for a period of at least 5 seconds and for not more than a period of 20 seconds to find a suitable cell. If a suitable cell is found during this time then, the mobile station shall request the RR sublayer to establish an RR connection, otherwise the IMSI detach is aborted.
If a RR connection exists, the MM sublayer will release locally any ongoing MM connections before the IMSI DETACH INDICATION message is sent.
The IMSI detach procedure may not be started if a MM specific procedure is active. If possible, the IMSI detach procedure is then delayed until the MM specific procedure is finished, else the IMSI detach is omitted.
184.108.40.206 IMSI detach procedure in the network
When receiving an IMSI DETACH INDICATION message, the network may set an inactive indication for the IMSI. No response is returned to the mobile station. After reception of the IMSI DETACH INDICATION message the network shall release locally any ongoing MM connections, and start the normal RR connection release procedure (see sub-clause 3.5).
Only applicable for a network supporting VGCS: If an IMSI DETACH INDICATION message is received from the talking mobile station in a group call while the network is in service state MM CONNECTION ACTIVE (GROUP TRANSMIT MODE), the network shall release locally the ongoing MM connection and then go to the service state GROUP CALL ACTIVE.
220.127.116.11 IMSI detach completion by the mobile station
Timer T3220 is stopped when the RR connection is released. The mobile station should, if possible, delay the local release of the channel to allow a normal release from the network side until T3220 timeout. If this is not possible (e.g. detach at power down) the RR sublayer on the mobile station side should be aborted.
18.104.22.168 Abnormal cases
If the establishment of an RR connection is unsuccessful, or the RR connection is lost, the IMSI detach is aborted by the mobile station.
mobile station network
IMSI DET IND
Figure 4.4/3GPP TS 04.08: IMSI detach sequence
4.3.5 Abort procedure
The abort procedure may be invoked by the network to abort any on-going MM connection establishment or already established MM connection. The mobile station shall treat ABORT message as compatible with current protocol state only if it is received when at least one MM connection exists or an MM connection is being established.
22.214.171.124 Abort procedure initiation by the network
The abort procedure consists only of the ABORT message sent from the network to the mobile station. Before the sending of the ABORT message the network shall locally release any ongoing MM connection. After the sending the network may start the normal RR connection release procedure.
The Cause information element indicates the reason for the abortion. The following cause values may apply:
– # 6: Illegal ME;
– #17: Network failure.
126.96.36.199 Abort procedure in the mobile station
At the receipt of the ABORT message the mobile station shall abort any MM connection establishment or call re-establishment procedure and release all MM connections (if any). If cause value #6 is received the mobile station shall delete any TMSI, LAI and ciphering key sequence number stored in the SIM, set the update status to ROAMING NOT ALLOWED (and store it in the SIM according to sub-clause 188.8.131.52) and consider the SIM invalid until switch off or the SIM is removed. As a consequence the mobile station enters state MM IDLE, substate NO IMSI after the release of the RR connection.
The mobile station shall then wait for the network to release the RR connection – see sub-clause 184.108.40.206.
4.3.6 MM information procedure
The MM information message support is optional in the network.
The MM information procedure may be invoked by the network at any time during an RR connection.
220.127.116.11 MM information procedure initiation by the network
The MM information procedure consists only of the MM INFORMATION message sent from the network to the mobile station. During an RR connection, the network shall send none, one, or more MM INFORMATION messages to the mobile station. If more than one MM INFORMATION message is sent, the messages need not have the same content.
NOTE: The network may be able to select particular instants where it can send the MM INFORMATION message without adding delay to, or interrupting, any CM layer transaction, e.g. immediately after the AUTHENTICATION REQUEST message.
18.104.22.168 MM information procedure in the mobile station
When the mobile station (supporting the MM information message) receives an MM INFORMATION message, it shall accept the message and optionally use the contents to update appropriate information stored within the mobile station.
If the mobile station does not support the MM information message the mobile station shall ignore the contents of the message and return an MM STATUS message with cause #97.